diff --git a/modules/logging-bucket/README.md b/modules/logging-bucket/README.md
index c8ad5d8d2..abd1a4fd2 100644
--- a/modules/logging-bucket/README.md
+++ b/modules/logging-bucket/README.md
@@ -118,17 +118,18 @@ module "bucket" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
-| [name](variables.tf#L61) | Name of the logging bucket. | string | ✓ | |
-| [parent](variables.tf#L66) | ID of the parent resource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'. | string | ✓ | |
+| [name](variables.tf#L71) | Name of the logging bucket. | string | ✓ | |
+| [parent](variables.tf#L76) | ID of the parent resource containing the bucket in the format 'project_id' 'folders/folder_id', 'organizations/organization_id' or 'billing_account_id'. | string | ✓ | |
| [context](variables.tf#L17) | Context-specific interpolations. | object({…}) | | {} |
| [description](variables.tf#L32) | Human-readable description for the logging bucket. | string | | null |
| [kms_key_name](variables.tf#L38) | To enable CMEK for a project logging bucket, set this field to a valid name. The associated service account requires cloudkms.cryptoKeyEncrypterDecrypter roles assigned for the key. | string | | null |
| [location](variables.tf#L44) | Location of the bucket. | string | | "global" |
-| [log_analytics](variables.tf#L50) | Enable and configure Analytics Log. | object({…}) | | {} |
-| [parent_type](variables.tf#L74) | Parent object type for the bucket (project, folder, organization, billing_account). | string | | "project" |
-| [retention](variables.tf#L81) | Retention time in days for the logging bucket. | number | | 30 |
-| [tag_bindings](variables.tf#L87) | Tag bindings for this bucket, in key => tag value id format. | map(string) | | {} |
-| [views](variables.tf#L94) | Log views for this bucket. | map(object({…})) | | {} |
+| [locked](variables.tf#L50) | Whether the bucket is locked. Locked buckets may only be deleted if they are empty. This can only be set for project-level buckets. | bool | | null |
+| [log_analytics](variables.tf#L60) | Enable and configure Analytics Log. | object({…}) | | {} |
+| [parent_type](variables.tf#L84) | Parent object type for the bucket (project, folder, organization, billing_account). | string | | "project" |
+| [retention](variables.tf#L91) | Retention time in days for the logging bucket. | number | | 30 |
+| [tag_bindings](variables.tf#L97) | Tag bindings for this bucket, in key => tag value id format. | map(string) | | {} |
+| [views](variables.tf#L104) | Log views for this bucket. | map(object({…})) | | {} |
## Outputs
diff --git a/modules/logging-bucket/main.tf b/modules/logging-bucket/main.tf
index c5f2bca6c..0c1148a6d 100644
--- a/modules/logging-bucket/main.tf
+++ b/modules/logging-bucket/main.tf
@@ -51,6 +51,7 @@ resource "google_logging_project_bucket_config" "bucket" {
bucket_id = var.name
description = var.description
enable_analytics = var.log_analytics.enable
+ locked = var.locked
dynamic "cmek_settings" {
for_each = var.kms_key_name == null ? [] : [""]
content {
diff --git a/modules/logging-bucket/variables.tf b/modules/logging-bucket/variables.tf
index c5938c818..3cc60d55b 100644
--- a/modules/logging-bucket/variables.tf
+++ b/modules/logging-bucket/variables.tf
@@ -47,6 +47,16 @@ variable "location" {
default = "global"
}
+variable "locked" {
+ description = "Whether the bucket is locked. Locked buckets may only be deleted if they are empty. This can only be set for project-level buckets."
+ type = bool
+ default = null
+ validation {
+ condition = var.parent_type == "project" || var.locked == null
+ error_message = "The 'locked' attribute can only be set for project-level buckets."
+ }
+}
+
variable "log_analytics" {
description = "Enable and configure Analytics Log."
type = object({
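Review bot: The `description` of the added `locked` variable does not say that locking is one-way. As far as I know, Cloud Logging does not let a locked bucket be unlocked, and the lock also freezes the bucket's retention policy, so a value applied by mistake cannot be reverted through Terraform. I would extend the description with something like `Locking is irreversible and also locks the retention period; set retention to its final value before enabling.` and regenerate the README table to match. Separately, the `validation` condition reads `var.parent_type`, and references to other variables inside a validation block need Terraform 1.9 or later, so the module's `required_version` (not visible in this diff) is worth checking.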